7 LAWS OF IDENTITY THE CASE FOR PRIVACY-EMBEDDED LAWS OF IDENTITY IN THE DIGITAL AGE

Size: px
Start display at page:

Download "7 LAWS OF IDENTITY THE CASE FOR PRIVACY-EMBEDDED LAWS OF IDENTITY IN THE DIGITAL AGE"

Transcription

1 7 LAWS OF IDENTITY THE CASE FOR PRIVACY-EMBEDDED LAWS OF IDENTITY IN THE DIGITAL AGE Ann Cavoukian, Ph.D. Information and Privacy Commissioner of Ontario

2 Commissioner Ann Cavoukian gratefully acknowledges the work of Fred Carter, Senior Policy and Technology Advisor at the IPC, in the preparation of this paper.

3

4 T A B L E O F C O N T E N T S Introduction 3 Identity and Privacy 4 Digital Identity and Privacy: The Challenge 5 The Need for Identity Management 5 Identity is Contextual 6 The Internet s Problems are Often Identity Problems 7 What is Needed: An Identity Metasystem 8 Architecture of a Proposed Solution 8.Net Passport 10 Cardspace and Information Cards 11 Privacy Analysis and Commentary on the 7 Laws of Identity 13 Laws of Identity 14 Conclusions 16 APPENDIX A: Fair Information Practices 17 APPENDIX B: Information Sources and Reading Materials 18

5 B A C K D R O P The existing identity infrastructure of the Internet is no longer sustainable. The level of fraudulent activity online has grown exponentially over the years and is now threatening to cripple e-commerce. Something must be done now before consumer confidence and trust in online activities are so diminished as to lead to its demise. Enter the 7 Laws of Identity: could this be the answer? Read on. Ann Cavoukian, Ph.D. Information and Privacy Commissioner of Ontario Privacy-Embedded Identity in the Digital Age 1

6 2 Privacy-Embedded Identity in the Digital Age

7 I N T R O D U C T I O N This paper recognizes and is inspired by the 7 Laws of Identity formulated on an open blog by a global community of experts through the leadership of Kim Cameron, Chief Identity Architect at Microsoft. The Office of the Information and Privacy Commissioner of Ontario is convinced that the 7 Laws (a.k.a. technologically-necessary principles of identity management ) will profoundly shape the architecture and growth of a universal identity metasystem. The resulting Identity Big Bang will hopefully enable the Internet to evolve to the next level of trust and capability. A universal identity metasystem will also have profound impacts on privacy since the digital identities of people and the devices associated with them constitute personal information. Care must be taken that a universal, interoperable identity metasystem does not get distorted and become an infrastructure of universal surveillance. We have always advocated that privacy be built into the design and operation of information systems and technologies. We do this by applying the privacy principles expressed in the Fair Information Practices in a systematic way. (See Appendix A) We are struck by the many similarities between the 7 Laws of Identity and the fair information practices. The two sets of fundamental principles are highly complementary and inform each other. This document is the result of our mapping fair information practices over the 7 Laws of Identity to explicitly extract their privacy-protective features. The result, which we call the privacy-embedded Laws of Identity, is a commentary on the Laws that teases-out the privacy implications, for all to consider. The privacy-embedded Laws of Identity are intended to inject privacy considerations into discussions involving identity specifically, into the emerging technologies that will define an interoperable identity system. We believe that privacy is woven through the 7 Laws and that when the Laws are applied, exciting new privacy options will become possible. However, there is nothing inevitable about privacyenhanced identification and authentication options. An identity metasystem (described by the 7 Laws) is a necessary but not sufficient condition for privacy-enhancing options to be developed. The missing ingredients are knowledge and desire. If privacy design options for identity systems can be identified and promoted, then it is possible that a universal identity metasystem will emerge that has built-in respect for privacy and data protection, before it s too late. Privacy-Embedded Identity in the Digital Age 3

8 I D E N T I T Y A N D P R I V A C Y Identity and privacy are closely related. Generally speaking, when your identity is not known, you tend to have more privacy. When you pay cash for a coffee, your identity is that of an anonymous consumer. When you buy coffee with an anonymous pre-paid coffee card, your identity becomes that of a loyal patron. But, when your name and address are linked to a pre-paid coffee card, all of your coffee purchases may be linked to you, as an identifiable individual. Information that can be linked to an identifiable individual is considered to be personal information. Privacy refers to the claim or right of individuals to exercise a measure of control over the collection, use and disclosure of their personal information. When your personal information is mishandled, your privacy interests are engaged. Protecting and promoting individual privacy is a real challenge in an era of exponential creation, networking and duplication of data, most of which is identifiable in nature. There is more personal information out there than ever before, and most of it is controlled by others. Increasingly we have little control over our own information. Identification requirements are everywhere, and increasing. We all have multiple identities which need to be managed. In the online digital environment, however, the identity challenges are greater, since identification demands are becoming more frequent. Increasingly, more and more granular information is being collected about us by others, and this data is being used in novel ways, for novel purposes not all of which benefit the individual. There is a growing disjunct with the bricks-and-mortar world where, for example, we can often demonstrate our identity (or credentials) by simply waving an ID document for visual inspection. But in the faceless online world, our identification credential is often recorded in databases, compared or collated with other data, and stored indefinitely for further uses. At the same time, the identity of other entities online is becoming harder to verify. We often simply do not know who we are truly dealing with online, or how accountable they are with respect to the handling of our personal information. 4 Privacy-Embedded Identity in the Digital Age

9 D I G I T A L I D E N T I T Y A N D P R I V A C Y: T H E C H A L L E N G E For users and businesses alike, the Internet continues to be increasingly valuable. More people are using the web for everyday tasks, from shopping, banking, and paying bills to consuming media and entertainment. E-commerce opportunities are growing, with businesses delivering more services and content across the Internet, communicating and collaborating online, and inventing new ways to connect with each other. But as the value of what people do online has increased, the Internet itself has become more complex, vulnerable, and dangerous. Online identity theft, fraud, and privacy concerns are on the rise, stemming from increasingly sophisticated practices such as phishing, spear-phishing, and pharming. Keeping track of multiple accounts, passwords and authentication methods is difficult and frustrating for users. Password fatigue results in insecure practices such as re-using the same account names and passwords at many sites. T H E N E E D F O R I D E N T I T Y M A N A G E M E N T Identity management is a hot topic these days, but what exactly is it? The term does not have a clearly defined meaning, but technology-based identity management, in its broadest sense, refers to the administration and design of identity attributes, credentials, and privileges. Identity management may be carried out centrally by others, as in the case of organizations that assign log on credentials to individuals to facilitate and control access to critical resources. When you leave the organization, your network identity and associated privileges are revoked by the system administrator. This is often called enterprise identity management or, more simply, provisioning. Centralized identity management may also occur beyond the enterprise, as when governments issue national identity cards for use in multiple scenarios, or in some online single-sign-on schemes such as Microsoft.Net Passport service. Another form of identity management is user-centric which seeks to place administration and control of identity information directly into the hands of individuals. Examples include network anonymization tools and form fillers that minimize disclosure of personal information, or password managers that securely keep track of different credentials. In the real world, a wallet full of different identity cards is a user-centric form of identity management that allows individuals to choose the appropriate identity credential for the right purposes, such as a coffee card for coffee and a student Privacy-Embedded Identity in the Digital Age 5

10 ID card for discounts. Individuals can exercise control over how the information on those cards is read and used by others. A third type of identity management, commonly referred to as federated, is a hybrid of the two. In such systems, one s identity credentials are divided and spread out among many parties, with users controlling how they are shared and used. Some single sign-on schemes can work this way. The ability to authorize a government agency to share change-of-address information with other departments may be another. The risks to privacy can be offset by careful choice of trusted identity providers, and by greater convenience and efficiencies for users. All three types of identity management systems are necessary, depending on the context. Identity is highly contextual. Consider that the identities held by a person in the offline world can range from the significant, such as birth certificates, passports, and drivers licenses, to the trivial, such as business cards or frequent user buyer s cards. People use their different forms of identification in different contexts where they are accepted. I D E N T I T Y I S C O N T E X T U A L Personal information provided in different contexts will vary. Identities may be used in or out of context. Identities used out of context generally do not bring desired results. For example, trying to use a coffee card to cross a border is clearly out of context. On the other hand, using a bank card at an ATM, a government-issued ID at a border, a coffee card at a coffee shop, and a MS.Net Passport account at MSN Hotmail are all clearly in context. In some cases, the distinction is less clear. You could conceivably use a government-issued ID at your ATM instead of a bank-issued card, but if this resulted in the government having knowledge of each financial transaction, many people would be uncomfortable. You could use a Social Insurance or Social Security Number as a student ID number, but that has significant privacy implications, such as facilitating identity theft. And you can use a.net Passport account at some non-microsoft sites, but few sites chose to enable this; even where it was enabled, few users did so because they felt that Microsoft s participation in these interactions was out of context. Numerous digital identity systems have been introduced, each with its own strengths and weaknesses. But no one single system meets the needs of every digital identity scenario. Even if it were possible to create one system that did so, the reality is that many different identity systems are in use today, with still more being invented. As a result, the current state of digital identity on the Internet is an inconsistent patchwork of ad hoc solutions that burdens people with different user experiences at every web site, renders the system as a whole fragile, and constrains the fuller realization of the promise of e-commerce. 6 Privacy-Embedded Identity in the Digital Age

11 T H E I N T E R N E T S P R O B L E M S A R E O F T E N I D E N T I T Y P R O B L E M S Many of the problems facing the Internet today stem from the lack of a widely deployed, easily understood, secure identity solution. A comparison between the bricks-and-mortar world and the online world is illustrative: In the bricks-and-mortar world you can tell when you are at a branch of your bank. It would be very difficult to set up a fake bank branch and convince people to do transactions there. But in today s online world it is trivial to set up a fake banking site (or e-commerce site ) and convince a significant portion of the population that it s the real thing. This is an enormous identity problem. Web sites currently do not have reliable ways of identifying themselves to people, thus enabling impostors to flourish. What is needed is reliable site-to-user authentication, which aims to make it as difficult to produce counterfeit services in the online world, as it is to produce them in the physical world. Conversely, problems identifying users to sites also abound. Username/password authentication is the prevailing paradigm, but its weaknesses are all too evident on today s Internet. Password reuse, insecure passwords, and poor password management practices open a world of attacks, in and of themselves. Combine that with the password theft attacks enabled by counterfeit web sites, and man-in-the-middle attacks, and today s Internet is an attacker s paradise. The consequences of these problems are severe and growing. The number of phishing attacks and sites has skyrocketed. There are reports that online banking activity is declining. Recent regulatory guidance on authentication in online banking reports that Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. [FFIEC 05] Consumer trust of the Internet is low and ever-dropping. [NCL 06] Clearly, the status quo is no longer a viable option. Privacy-Embedded Identity in the Digital Age 7

12 W H A T I S N E E D E D : A N I D E N T I T Y M E T A S Y S T E M Given that universal adoption of a single digital identity system or technology is unlikely to occur, a successful and widely deployed identity solution for the Internet requires a different approach one with the capability to connect existing and future identity systems into an identity metasystem. A metasystem, or system of systems, would leverage the strengths of its constituent identity systems, provide interoperability between them, and enable the creation of a consistent and straightforward user interface to all of them. The resulting improvements in cyberspace would benefit everyone, ultimately making the Internet a safer place with the potential to boost e-commerce, combat phishing, and solve other digital identity challenges. An identity metasystem could make it easier for users to stay safe and in control when accessing resources on the Internet. It could allow users to select from among a portfolio of their digital identities and use them for Internet services of their choice, where they are accepted. A metasystem could enable identities provided by one identity system technology to be used within systems based on different technologies, provided that an intermediary exists that understands both technologies and is capable and trusted to do the needed translations. It is important to note that the role of an identity metasystem is not to compete with or replace the identity systems that it connects. Rather, a metasystem should rely on the individual systems in play to do its work! A R C H I T E C T U R E O F A P R O P O S E D S O L U T I O N By definition, in order for a digital identity solution to be successful, it needs to be understood in all the contexts when you may wish to use it to identify yourself. Identity systems are all about identifying yourself (and your things) in environments that are not yours. For this to be possible, both your systems and the systems that are not yours those where you need to digitally identify yourself must be able to speak the same digital identity protocols, even if they are running different software on different platforms. Such a solution, in the form of an identity metasystem, has already been proposed, and some implementations are well under way. The identity metasystem is based upon an underlying set of principles called the Laws of Identity. The Laws are intended to codify a set of fundamental principles to which a universally adopted, sustainable identity architecture must conform. The Laws were proposed, debated, and refined through a long-running, open, and continuing dialogue on the 8 Privacy-Embedded Identity in the Digital Age

13 Internet by the major players in the identity field. Taken together, the Laws are key to defining the overall architecture of the identity metasystem. Because these Laws were developed through an open consensus process among experts and stakeholders, they reflect a remarkable convergence of interests, and are non-proprietary in nature. As a result, they have been endorsed and adopted by a long and growing list of industry organizations, associations, and technology developers. By allowing different identity systems to work together in concert, with a single user experience, and a unified programming paradigm, the metasystem shields users and developers from concerns about the evolution and market dominance of specific underlying systems, thereby reducing everyone s risk and increasing the speed with which the technology can evolve. It is our sincere belief that the 7 Laws of Identity and the identity metasystem they describe represent significant contributions to improving security and privacy in the online world and, as such, are worthy of closer study, support and broad adoption by the privacy community. We are particularly struck by the parallels with the fair information practices ( FIPs ), which set forth universal principles that both establish and confer broad rights on individuals with respect to the collection, use, and disclosure of their personal information by others, and at the same time set out broad responsibilities for organizations in respect to their collection, use and disclosure of personal information. The FIPs have served as the basis for privacy and data protection laws around the world, and yet are versatile enough to be used to guide the design, development and operation of information technologies and systems in a privacy-enhancing manner. We are impressed with how the Laws of Identity seek to put users in control of their own identities, their personal information, and their online experiences. In the metasystem, users decide how much information they wish to disclose, to whom, and under what circumstances, thereby enabling them to better protect their privacy. Strong two-way authentication of identity providers and relying parties helps address phishing and other forms of fraud. Identities and accompanying personal information can be securely stored and managed in a variety of ways, including via the online identity provider service of the user s choice, or on the user s PC, or in other devices such as secure USB keychain storage devices, smartcards, PDAs, and mobile phones. Further, the identity metasystem enables a predictable, uniform user experience across multiple identity systems. It extends to and integrates the human user, thereby helping to secure the machinehuman channel. Participants in the identity metasystem may include anyone or anything that uses, participates in, or relies upon identities in any way, including, but not limited to existing identity systems, corporate identities, government identities, Liberty federations, operating systems, mobile devices, online services, and smartcards. Again, the possibilities are only limited by innovators imaginations. An example of a universal identity system that did NOT conform with the Laws of Identity is illustrative. Privacy-Embedded Identity in the Digital Age 9

14 . N E T PA S S P O R T Until now, Microsoft s best-known identity effort was almost certainly the Passport Network, best known to millions of Internet users as a single sign-on identity system that stored users personal information centrally. The identity metasystem is different from the original version of Passport in several fundamental ways. The metasystem stores no personal information, leaving it up to individual identity providers to decide how and where to store that information. The identity metasystem is not an online identity provider for the Internet; indeed, it provides a means for all identity providers to co-exist with and compete with one another all having equal standing within the metasystem. And while Microsoft charged companies to use the original version of Passport, no-one will be charged to participate in the identity metasystem. In fairness, the Passport system itself has evolved in response to these experiences. It no longer stores personal information other than username/password credentials. Passport is now an authentication system targeted at Microsoft sites and those of close partners a role that is clearly in context, and one which users and partners are more comfortable. Passport and MSN plan to implement support for the identity metasystem as an online identity provider for MSN and its partners. Passport users will receive improved security and ease of use, and MSN Online partners will be able to interoperate with Passport through the identity metasystem. An example of one desktop application, currently in development, that does embody the 7 Laws of the identity metasystem is also illustrative. 10 Privacy-Embedded Identity in the Digital Age

15 C A R D S PA C E A N D I N F O R M A T I O N C A R D S Microsoft, among others, is building user software that conforms to the 7 Laws of the identity metasystem. The Cardspace identity selector is a Windows component that provides the consistent user experience required by the identity metasystem. It is specifically hardened against tampering and spoofing to protect the end user s digital identities and maintain end-user control. Each digital identity managed in Cardspace (comparable to a virtual card holder) is represented by a visual information card in the user interface. The user selects identities represented by information cards to authenticate to participating services. Figure 1: Identity Selector Screen: Information Cards Many identity attacks succeed because the user was fooled by something presented on the screen, not because of insecure communication technologies. For example, phishing attacks occur not in the secured channel between web servers and browsers a channel that might extend thousands of miles but in the two or three feet between the browser and the human who uses it. The identity metasystem, therefore, seeks to empower users to make informed and reasonable identity decisions by enabling the use of a consistent, comprehensible, and self-explanatory user interface for making those choices. Privacy-Embedded Identity in the Digital Age 11

16 As Figure 1 illustrates, users can be in control of their identity interactions (see Laws 1 & 2) by being able to choose which identities to use at which services, by knowing what information will be disclosed to those services if they use them, and by being informed how those services will use the information they disclose. To be in control, you must first be able to understand the choices you are presented with (see Laws 6 & 7). Unless users can be brought into the identity solution as informed, functioning components of the solution, able to consistently make good choices on their own behalf, the problem will not be solved. Information cards have several key advantages over username/password credentials: No weak, reused, lost, forgotten or stolen credentials: Because no password is typed in or sent, passwords cannot be stolen or forgotten. Better site authentication; less phishing: Because authentication can be based on unique keys generated for every information card/site pair, the keys known by one site are useless for authentication purposes at another, even for the same information card. This directly addresses the phishing and fake website problems. Data Minimization: Because information cards can re-supply identity information or claim values (e.g., name, address, and address) to other sites with whom they are dealing, those sites don t need to store this data between sessions. Retaining less data, or data minimization, means that sites have fewer vulnerabilities. (See Law 2.) Consistent Interface = Better choices: Programs like Cardspace implement a standard user interface for working with digital identities. Perhaps the most important part of this interface, the screen used to select an identity to present to a site, is shown in the Figure above. There are many information card systems. It is worth noting that, by extending the real-world visual metaphors and cues of the wallet containing various cards and credentials, information card software such as that by Microsoft makes it possible for users to be in better control of their digital identities. We encourage interested readers to read the seminal whitepapers freely available at which further explain and clarify the Laws of Identity and information cards in greater detail. Let us now turn to the privacy features embedded in the identity metasystem. 12 Privacy-Embedded Identity in the Digital Age

17 P R I V A C Y A N A LY S I S A N D C O M M E N T A R Y O N T H E 7 L A W S O F I D E N T I T Y In light of the preceding discussion and the identity challenges and opportunities that lie ahead, we carried out the following privacy analysis and commentary on the 7 Laws of Identity (and, by extension, on the identity metasystem that those laws collectively describe). The following chart is the summary result of our efforts to map fair information practices to the Laws of Identity, in order to explicitly extract their privacy-protective features. The result is a commentary on the Laws that teases-out their privacy implications, for all to consider. In brief, the privacy-embedded Laws of Identity, when implemented, offer individuals: easier and more direct user control over their personal information when online; enhanced user ability to minimize the amount of identifying data revealed online; enhanced user ability to minimize the linkage between different identities and actions; enhanced user ability to detect fraudulent messages and web sites, thereby minimizing the incidence of phishing and pharming. Privacy-Embedded Identity in the Digital Age 13

18 L A W S O F I D E N T I T Y The 7 Laws of Identity LAW #1: USER CONTROL AND CONSENT Technical identity systems must only reveal information identifying a user with the user s consent. 7 Privacy-Embedded Laws of Identity LAW #1: PERSONAL CONTROL AND CONSENT Technical identity systems must only reveal information identifying a user with the user s consent. Personal control is fundamental to privacy, as is freedom of choice. Consent is pivotal to both. Consent must be invoked in the collection, use and disclosure of one s personal information. Consent must be informed and uncoerced, and may be revoked at a later date. LAW #2: MINIMAL DISCLOSURE FOR A CONSTRAINED USE The identity metasystem must disclose the least identifying information possible, as this is the most stable, long-term solution. LAW #2: MINIMAL DISCLOSURE FOR LIMITED USE: DATA MINIMIZATION The identity metasystem must disclose the least identifying information possible, as this is the most stable, long-term solution. It is also the most privacy protective solution. The concept of placing limitations on the collection, use and disclosure of personal information is at the heart of privacy protection. To achieve these objectives, one must first specify the purpose of the collection and then limit one s use of the information to that purpose. These limitations also restrict disclosure to the primary purpose specified, avoiding disclosure for secondary uses. The concept of data minimization bears directly upon these issues, namely, minimizing the collection of personal information in the first instance, thus avoiding the possibility of subsequent misuse through unauthorized secondary uses. LAW #3: JUSTIFIABLE PARTIES Identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship. LAW #3: JUSTIFIABLE PARTIES: NEED TO KNOW ACCESS Identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship. This is consistent with placing limitations on the disclosure of personal information, and only allowing access on a need-to-know basis. Only those parties authorized to access the data, because they are justifiably required to do so, are granted access. 14 Privacy-Embedded Identity in the Digital Age

19 The 7 Laws of Identity LAW #4: DIRECTED IDENTITY A universal identity metasystem must support both omnidirectional identifiers for use by public entities and unidirectional identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles. LAW #5: PLURALISM OF OPERATORS AND TECHNOLOGIES A universal identity solution must utilize and enable the interoperation of multiple identity technologies run by multiple identity providers. LAW #6: HUMAN INTEGRATION The identity metasystem must define the human user to be a component of the distributed system, integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks. LAW #7: CONSISTENT EXPERIENCE ACROSS CONTEXTS The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies. 7 Privacy-Embedded Laws of Identity LAW #4: DIRECTED IDENTITY: PROTECTION AND ACCOUNTABILITY A universal identity metasystem must be capable of supporting a range of identifiers with varying degrees of observability and privacy. Unidirectional identifiers are used by the user exclusively for the other party, and support an individual s right to minimize data linkage across different sites. This is consistent with privacy principles that place limitations on the use and disclosure of one s personal information. At the same time, users must also be able make use of omnidirectional identifiers provided by public entities in order to confirm who they are dealing with online and, thereby ensure that that their personal information is being disclosed appropriately. To further promote openness and accountability in business practices, other types of identifiers may be necessary to allow for appropriate oversight through the creation of audit trails. LAW #5: PLURALISM OF OPERATORS AND TECHNOLOGIES: MINIMIZING SURVEILLANCE The interoperability of different identity technologies and their providers must be enabled by a universal identity metasystem. Both the interoperability and segregation of identity technologies may offer users more choices and control over the means of identification across different contexts. In turn, this may minimize unwanted tracking and profiling of personal information obtained through surveillance of visits across various sites. LAW #6: THE HUMAN FACE: UNDERSTANDING IS KEY Users must figure prominently in any system, integrated through clear human-machine communications, offering strong protection against identity attacks. This will advance user control, but only if users truly understand. Thus, plain language in all communications used to interface with individuals is key to understanding. Trust is predicated on such understanding. LAW #7: CONSISTENT EXPERIENCE ACROSS CONTEXTS: ENHANCED USER EMPOWERMENT AND CONTROL The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies. We return full circle to the concept of individual empowerment and informed consent. Clear interfaces, controls and options that enhance an individual s ability to exercise control across multiple contexts in a reliable, consistent manner will serve to enhance the principle of informed consent. Privacy-Embedded Identity in the Digital Age 15

20 C O N C L U S I O N S The Internet was built without a way to know who and what individuals are communicating with. This limits what people can do and exposes computer users to potential fraud. If nothing is done, the result will be rapidly proliferating episodes of theft and deception that will cumulatively erode public trust. That confidence is already eroding as a result of spam, phishing, pharming and identity theft, which leaves online consumers vulnerable to the misuse of their personal information and minimizes the future potential of e-commerce. The privacy-embedded 7 Laws of Identity supports the global initiative to empower consumers to manage their own digital identities and personal information in a much more secure, verifiable and private manner. Identity systems that are consistent with the privacy-embedded 7 Laws of Identity will help consumers verify the identity of legitimate organizations before they decide to continue with an online transaction. Consumers today are being spammed, phished, pharmed, hacked and otherwise defrauded out of their personal information in alarming numbers, in large part because there are few reliable ways for them to distinguish the good guys from the bad. E-commerce providers are taking note of this trend because declining consumer confidence and trust are especially bad for business. The next generation of intelligent and interactive web services ( Web 2.0 ) will require more, not fewer, verifiable identity credentials, and much greater mutual trust in order to succeed. Just as the Internet emerged from connecting different proprietary networks, an Identity Big Bang is expected to happen once an open, non-proprietary and universal method to connect identity systems and ensure user privacy is developed, in accordance with universal privacy principles. Already, there is a long and growing list of companies and individuals that endorse the 7 Laws of Identity and are working towards developing identity systems that conform to them. Participants include e-commerce sites, financial institutions, governments, Internet service providers, mobile telephony operators, certificate authorities, and software vendors for a broad range of platforms. Our efforts to describe the 7 privacy-embedded Laws of Identity are intended to inject privacy considerations into discussions involving identity specifically, into the emerging technologies that will define an interoperable identity system. We hope that our commentary will stimulate broader discussion across the Internet blogosphere and among the identerati. We also hope that software developers, the privacy community and public policymakers will consider the 7 privacy-embedded Laws of Identity closely, discuss them publicly, and take them to heart. Promoting privacy-enhanced identity solutions at a critical time in the development of the Internet and e-commerce will enable both privacy and identity to be more strongly protected. 16 Privacy-Embedded Identity in the Digital Age

The Identity Metasystem: A User-Centric, Inclusive Web Authentication Solution

The Identity Metasystem: A User-Centric, Inclusive Web Authentication Solution The Identity Metasystem: A User-Centric, Inclusive Web Authentication Solution Position paper for the W3C Workshop on Transparency and Usability of Web Authentication New York City, March 2006 Michael

More information

Privacy Guidelines for RFID Information Systems (RFID Privacy Guidelines)

Privacy Guidelines for RFID Information Systems (RFID Privacy Guidelines) Privacy Guidelines for RFID Information Systems (RFID Privacy Guidelines) Information and Privacy Ann Cavoukian, Ph.D. Commissioner June 2006 Commissioner Ann Cavoukian gratefully acknowledges the work

More information

Distributed Identification and Consumer Data Protection. Khaja Ahmed Microsoft Corporation

Distributed Identification and Consumer Data Protection. Khaja Ahmed Microsoft Corporation Distributed Identification and Consumer Data Protection Khaja Ahmed Microsoft Corporation Threats to Online Safety Consumer privacy has steadily declined as internet use grew over the years Greater use

More information

The 7 Foundational Principles. Implementation and Mapping of Fair Information Practices. Ann Cavoukian, Ph.D.

The 7 Foundational Principles. Implementation and Mapping of Fair Information Practices. Ann Cavoukian, Ph.D. Privacy by Design The 7 Foundational Principles Implementation and Mapping of Fair Information Practices Ann Cavoukian, Ph.D. Information & Privacy Commissioner Ontario, Canada Purpose: This document provides

More information

What to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, PH.D. COMMISSIONER

What to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, PH.D. COMMISSIONER What to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, PH.D. COMMISSIONER INFORMATION AND PRIVACY COMMISSIONER/ONTARIO Table of Contents What is a privacy breach?...1

More information

Privacy by Design The 7 Foundational Principles Implementation and Mapping of Fair Information Practices

Privacy by Design The 7 Foundational Principles Implementation and Mapping of Fair Information Practices Privacy by Design The 7 Foundational Principles Implementation and Mapping of Fair Information Practices Ann Cavoukian, Ph.D. Information & Privacy Commissioner, Ontario, Canada Purpose: This document

More information

Evaluation of different Open Source Identity management Systems

Evaluation of different Open Source Identity management Systems Evaluation of different Open Source Identity management Systems Ghasan Bhatti, Syed Yasir Imtiaz Linkoping s universitetet, Sweden [ghabh683, syeim642]@student.liu.se 1. Abstract Identity management systems

More information

Nationwide and Regional Health Information Networks and Federated Identity for Authentication and HIPAA Compliance

Nationwide and Regional Health Information Networks and Federated Identity for Authentication and HIPAA Compliance Nationwide and Regional Health Information Networks and Federated Identity for Authentication and HIPAA Compliance Christina Stephan, MD Co-Chair Liberty Alliance ehealth SIG National Library of Medicine

More information

Information Security Group Active-client based identity management

Information Security Group Active-client based identity management Active-client based identity management Chris Mitchell Royal Holloway, University of London www.chrismitchell.net 1 Acknowledgements This is joint work with Haitham Al-Sinani, also of Royal Holloway. 2

More information

IDENTITY AND RESILIENCE

IDENTITY AND RESILIENCE IDENTITY AND RESILIENCE Background With the advent of the era of the Internet and globalization, empowered individuals and groups have emerged who use global interconnectedness and anonymity to engage

More information

extended validation SSL certificates: a standard for trust THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES

extended validation SSL certificates: a standard for trust THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES extended validation SSL certificates: a standard for trust THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES EXTENDED VALIDATION SSL CERTIFICATES: A STANDARD FOR TRUST...1 Who Do You Trust?...1 The

More information

Protecting Online Gaming and e-commerce Companies from Fraud

Protecting Online Gaming and e-commerce Companies from Fraud Protecting Online Gaming and e-commerce Companies from Fraud White Paper July 2007 Protecting Online Gaming and e-commerce Companies from Fraud Overview In theory, conducting business online can be efficient

More information

Identity Management. Critical Systems Laboratory

Identity Management. Critical Systems Laboratory Identity Management Critical Systems What is Identity Management? Identity: a set of attributes and values, which might or might not be unique Storing and manipulating identities Binding virtual identities

More information

Securing corporate assets with two factor authentication

Securing corporate assets with two factor authentication WHITEPAPER Securing corporate assets with two factor authentication Published July 2012 Contents Introduction Why static passwords are insufficient Introducing two-factor authentication Form Factors for

More information

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information:

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information: Information and Privacy Commissioner of Ontario Report of the Information & Privacy Commissioner/Ontario Review of the Canadian Institute for Health Information: A Prescribed Entity under the Personal

More information

Position Paper e-payments

Position Paper e-payments Position Paper e-payments 10 Recommendations for a Stronger e-payments Landscape in Europe www.ecommerce-europe.eu POSITION PAPER 3 Introduction: Ecommerce Europe Ecommerce Europe (www.ecommerce-europe.eu)

More information

Guide to Evaluating Multi-Factor Authentication Solutions

Guide to Evaluating Multi-Factor Authentication Solutions Guide to Evaluating Multi-Factor Authentication Solutions PhoneFactor, Inc. 7301 West 129th Street Overland Park, KS 66213 1-877-No-Token / 1-877-668-6536 www.phonefactor.com Guide to Evaluating Multi-Factor

More information

Position Paper Ecommerce Europe. E-Payments 2012

Position Paper Ecommerce Europe. E-Payments 2012 Position Paper Ecommerce Europe E-Payments 2012 Contents Introduction: Ecommerce Europe 3 1. Payments from the merchants perspective 5 2. Market outlook 6 3. Card-based payments and related fraud issues

More information

OIG Fraud Alert Phishing

OIG Fraud Alert Phishing U.S. EQUAL EMPLOYMENT OPPORTUNITY COMMISSION Washington, D.C. 20507 Office of Inspector General Aletha L. Brown Inspector General July 22, 2005 OIG Fraud Alert Phishing What is Phishing? Phishing is a

More information

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Seven Things To Consider When Evaluating Privileged Account Security Solutions Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?

More information

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs IBM Global Technology Services Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs Achieving a secure government

More information

Evolution from FTP to Secure File Transfer

Evolution from FTP to Secure File Transfer IPSWITCH FILE TRANSFER WHITE PAPER Evolution from FTP to Secure File Transfer www.ipswitchft.com Do you know where your organization s confidential and sensitive files were transferred today? Are you sure

More information

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication

More information

SAFEGUARDING PRIVACY IN A MOBILE WORKPLACE

SAFEGUARDING PRIVACY IN A MOBILE WORKPLACE SAFEGUARDING PRIVACY IN A MOBILE WORKPLACE Checklist for taking personally identifiable information (PII) out of the workplace: q Does your organization s policy permit the removal of PII from the office?

More information

On the Application of Trust and Reputation Management and User-centric Techniques for Identity Management Systems

On the Application of Trust and Reputation Management and User-centric Techniques for Identity Management Systems On the Application of Trust and Reputation Management and User-centric Techniques for Identity Management Systems Ginés Dólera Tormo Security Group NEC Laboratories Europe Email: gines.dolera@neclab.eu

More information

Privacy Breach Protocol

Privacy Breach Protocol & Privacy Breach Protocol Guidelines for Government Organizations www.ipc.on.ca Table of Contents What is a privacy breach? 1 Guidelines on what government organizations should do 2 What happens when the

More information

Encrypting Personal Health Information on Mobile Devices

Encrypting Personal Health Information on Mobile Devices Ann Cavoukian, Ph.D. Information and Privacy Commissioner/Ontario Number 12 May 2007 Encrypting Personal Health Information on Mobile Devices Section 12 (1) of the Personal Health Information Protection

More information

Building Consumer Trust Internet Payments

Building Consumer Trust Internet Payments Building Consumer Trust Internet Payments Leading Co-Chair (Europe/Africa): Co-Chair (Asia/Oceania): Hermann-Josef Lamberti Executive Vice President & Member of the Board Deutsche Bank Toshiro Kawamura

More information

RECOMMENDED CHARTER FOR THE IDENTITY ECOSYSTEM STEERING GROUP

RECOMMENDED CHARTER FOR THE IDENTITY ECOSYSTEM STEERING GROUP RECOMMENDED CHARTER FOR THE IDENTITY ECOSYSTEM STEERING GROUP 1. Identity Ecosystem Steering Group Charter The National Strategy for Trusted Identities in Cyberspace (NSTIC or Strategy), signed by President

More information

Privacy in the Cloud A Microsoft Perspective

Privacy in the Cloud A Microsoft Perspective A Microsoft Perspective November 2010 The information contained in this document represents the current view of Microsoft Corp. on the issues discussed as of the date of publication. Because Microsoft

More information

FIDO: Fast Identity Online Alliance Privacy Principles Whitepaper vfeb2014

FIDO: Fast Identity Online Alliance Privacy Principles Whitepaper vfeb2014 FIDO: Fast Identity Online Alliance Privacy Principles Whitepaper vfeb2014 The FIDO Alliance: Privacy Principles Whitepaper Page 1 of 7 FIDO Privacy Principles Introduction The FIDO Alliance is a non-profit

More information

IT Privacy Certification Outline of the Body of Knowledge (BOK) for the Certified Information Privacy Technologist (CIPT)

IT Privacy Certification Outline of the Body of Knowledge (BOK) for the Certified Information Privacy Technologist (CIPT) Page 1 of 6 IT Privacy Certification Outline of the Body of Knowledge (BOK) for the Certified Information Privacy Technologist (CIPT) I. Understanding the need for privacy in the IT environment A. Evolving

More information

DETECT MONITORING SERVICES AND DETECT SAFE BROWSING: Empowering Tools to Prevent Account Takeovers

DETECT MONITORING SERVICES AND DETECT SAFE BROWSING: Empowering Tools to Prevent Account Takeovers DETECT MONITORING SERVICES AND DETECT SAFE BROWSING: Empowering Tools to Prevent Account Takeovers SUMMARY The Federal Financial Institutions Examination Council (FFIEC) is planning to update online transaction

More information

IDIM Privacy Enhancing Features Summary Identity Information Management Project (IDIM) Integration Infrastructure Program (IIP) Office of the CIO

IDIM Privacy Enhancing Features Summary Identity Information Management Project (IDIM) Integration Infrastructure Program (IIP) Office of the CIO IDIM Privacy Enhancing Features Summary Identity Information Management Project (IDIM) Integration Infrastructure Program (IIP) Contact: Peter Watkins Phone: 250 387-2184 Email: Peter.Watkins@gov.bc.ca

More information

Personal Health Information Privacy Policy

Personal Health Information Privacy Policy Personal Health Information Privacy Policy Privacy Office Document ID: 2478 Version: 6.2 Owner: Chief Privacy Officer Sensitivity Level: Low Copyright Notice Copyright 2014, ehealth Ontario All rights

More information

Online Privacy: Make Youth Awareness and Education a Priority

Online Privacy: Make Youth Awareness and Education a Priority Online Privacy: Make Youth Awareness and Education a Priority Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario, Canada For young people today, going online to connect and interact with

More information

Network-based Access Control

Network-based Access Control Chapter 4 Network-based Access Control 4.1 Rationale and Motivation Over the past couple of years, a multitude of authentication and access control technologies have been designed and implemented. Although

More information

Privacy in the Cloud Computing Era. A Microsoft Perspective

Privacy in the Cloud Computing Era. A Microsoft Perspective Privacy in the Cloud Computing Era A Microsoft Perspective November 2009 The information contained in this document represents the current view of Microsoft Corp. on the issues discussed as of the date

More information

BEST SECURITY PRACTICES IN ONLINE BANKING PLATFORMS

BEST SECURITY PRACTICES IN ONLINE BANKING PLATFORMS BEST SECURITY PRACTICES IN ONLINE BANKING PLATFORMS TABLE OF CONTENTS BEST SECURITY PRACTICES Home banking platforms have been implemented as an ever more efficient 1 channel through for banking transactions.

More information

Identity & Trust Assurance

Identity & Trust Assurance The next generation technologies to Create Trust Online Introducing S.A.F.E. Solution (Secure & Authentic Financial Engagements) Solution Offering Description Identity & Trust Assurance Vision The ecommerce

More information

Web Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn

Web Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn Web Payment Security A discussion of methods providing secure communication on the Internet Group Members: Peter Heighton Zhao Huang Shahid Kahn 1. Introduction Within this report the methods taken to

More information

An Anti-Spam Action Plan for Canada. Industry Canada

An Anti-Spam Action Plan for Canada. Industry Canada An Anti-Spam Action Plan for Canada Industry Canada May 2004 The Problem An Anti-Spam Action Plan for Canada In just a few years, unsolicited commercial e-mail -- now generally known as spam 1 -- has gone

More information

Comparing Identity Management Frameworks in a Business Context

Comparing Identity Management Frameworks in a Business Context Comparing Identity Management Frameworks in a Business Context Jaap-Henk Hoepman, Rieks Joosten, and Johanneke Siljee jaap-henk.hoepman@tno.nl, rieks.joosten@tno.nl, johanneke.siljee@tno.nl TNO, the Netherlands

More information

Consumer Protection Electronic Commerce

Consumer Protection Electronic Commerce for Principles of Consumer Protection Electronic Commerce A Canadian Framework Working Group on Electronic Commerce and Consumers for Principles of Consumer Protection Electronic Commerce A Canadian Framework

More information

Strengthen security with intelligent identity and access management

Strengthen security with intelligent identity and access management Strengthen security with intelligent identity and access management IBM Security solutions help safeguard user access, boost compliance and mitigate insider threats Highlights Enable business managers

More information

PRIVATE.ME AIMS TO MAKE PRIVACY POSSIBLE BY RETURNING CONTROL TO USERS AND PROVIDING FORGETFULNESS ACROSS THE INTERNET.

PRIVATE.ME AIMS TO MAKE PRIVACY POSSIBLE BY RETURNING CONTROL TO USERS AND PROVIDING FORGETFULNESS ACROSS THE INTERNET. 2015 PRIVATE.ME AIMS TO MAKE PRIVACY POSSIBLE BY RETURNING CONTROL TO USERS AND PROVIDING FORGETFULNESS ACROSS THE INTERNET. PRIVATE.ME WHITEPAPER THE GROWING CONCERN OF PRIVACY The role and scope of connectivity

More information

Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation. By Marc Ostryniec, vice president, CSID

Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation. By Marc Ostryniec, vice president, CSID Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation By Marc Ostryniec, vice president, CSID The increase in volume, severity, publicity and fallout of recent data breaches

More information

M&T BANK CANADIAN PRIVACY POLICY

M&T BANK CANADIAN PRIVACY POLICY M&T BANK CANADIAN PRIVACY POLICY At M&T Bank, we are committed to safeguarding your personal information and maintaining your privacy. This has always been a priority for us and this is why M&T Bank (

More information

Introduction to SAML

Introduction to SAML Introduction to THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY Introduction to Introduction In today s world of rapidly expanding and growing software development; organizations, enterprises and governments

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Policy for Social Media Usage in Catawba County

Policy for Social Media Usage in Catawba County Policy for Social Media Usage in Catawba County Adopted March 1, 2010 Revised September 7,2010 1. PURPOSE The role of technology in the 21 st century workplace is constantly expanding and now includes

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Securing Internet Payments across Europe. Guidelines for Detecting and Preventing Fraud

Securing Internet Payments across Europe. Guidelines for Detecting and Preventing Fraud Securing Internet Payments across Europe Guidelines for Detecting and Preventing Fraud Table of Contents Executive Summary Protecting Internet Payments: A Top Priority for All Stakeholders European Central

More information

Opinion and recommendations on challenges raised by biometric developments

Opinion and recommendations on challenges raised by biometric developments Opinion and recommendations on challenges raised by biometric developments Position paper for the Science and Technology Committee (House of Commons) Participation to the inquiry on Current and future

More information

Attribute-Based Access Control Solutions: Federating Authoritative User Data to Support Relying Party Authorization Decisions and Requirements

Attribute-Based Access Control Solutions: Federating Authoritative User Data to Support Relying Party Authorization Decisions and Requirements Joint White Paper: Attribute-Based Access Control Solutions: Federating Authoritative User Data to Support Relying Party Authorization Decisions and Requirements Submitted Date: April 10, 2013 Submitted

More information

Practical guide for secure Christmas shopping. Navid

Practical guide for secure Christmas shopping. Navid Practical guide for secure Christmas shopping Navid 1 CONTENTS 1. Introduction 3 2. Internet risks: Threats to secure transactions 3 3. What criteria should a secure e-commerce page meet?...4 4. What security

More information

Network Identity. 1. Introduction. Kai Kang Helsinki University of Technology Networking Laboratory kkang@cc.hut.fi

Network Identity. 1. Introduction. Kai Kang Helsinki University of Technology Networking Laboratory kkang@cc.hut.fi Network Identity Kai Kang Helsinki University of Technology Networking Laboratory kkang@cc.hut.fi Abstract: This paper is concerning on modern Network Identity issues, emphasizing on network identity management,

More information

Welcome to the Protecting Your Identity. Training Module

Welcome to the Protecting Your Identity. Training Module Welcome to the Training Module 1 Introduction Does loss of control over your online identities bother you? 2 Objective By the end of this module, you will be able to: Identify the challenges in protecting

More information

Data Protection Act 1998. Guidance on the use of cloud computing

Data Protection Act 1998. Guidance on the use of cloud computing Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered

More information

PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation )

PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation ) PRIVACY POLICY (Initially adopted by the Board of Directors on November 16, 2007) PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation ) The Corporation is committed to controlling the collection,

More information

PROTECT YOUR COMPUTER AND YOUR PRIVACY!

PROTECT YOUR COMPUTER AND YOUR PRIVACY! PROTECT YOUR COMPUTER AND YOUR PRIVACY! Fraud comes in many shapes simple: the loss of both money protecting your computer and Take action and get peace of and sizes, but the outcome is and time. That

More information

Boosting interoperability and collaboration across mixedtechnology

Boosting interoperability and collaboration across mixedtechnology Boosting interoperability and collaboration across mixedtechnology environments Standards-based identity federation solutions from Microsoft and Novell May 2009 Executive summary Despite remarkable gains

More information

Phishing Victims Likely Will Suffer Identity Theft Fraud

Phishing Victims Likely Will Suffer Identity Theft Fraud Markets, A. Litan Research Note 14 May 2004 Phishing Victims Likely Will Suffer Identity Theft Fraud Fifty-seven million U.S. adults think they have received a phishing e-mail. More than 1.4 million users

More information

Identity Theft: Take Control of the Inevitable Reality I T A D V I S O R Y

Identity Theft: Take Control of the Inevitable Reality I T A D V I S O R Y Identity Theft: Take Control of the Inevitable Reality I T A D V I S O R Y Discussion Topics Why ID Theft is a significant problem? What is an Identity? Identity Lifecycle Why ID theft occurs? Common means

More information

Whitepaper MODERN THREATS DRIVE DEMAND FOR NEW GENERATION TWO-FACTOR AUTHENTICATION

Whitepaper MODERN THREATS DRIVE DEMAND FOR NEW GENERATION TWO-FACTOR AUTHENTICATION Whitepaper MODERN THREATS DRIVE DEMAND FOR NEW GENERATION TWO-FACTOR AUTHENTICATION A RECENT SURVEY SHOWS THAT 90% OF ALL COMPANIES HAD BEEN BREACHED IN THE LAST 12 MONTHS. THIS PARED WITH THE FACT THAT

More information

STRONGER AUTHENTICATION for CA SiteMinder

STRONGER AUTHENTICATION for CA SiteMinder STRONGER AUTHENTICATION for CA SiteMinder Adding Stronger Authentication for CA SiteMinder Access Control 1 STRONGER AUTHENTICATION for CA SiteMinder Access Control CA SITEMINDER provides a comprehensive

More information

An Efficient Windows Cardspace identity Management Technique in Cloud Computing

An Efficient Windows Cardspace identity Management Technique in Cloud Computing IOSR Journal of Computer Engineering (IOSR-JCE) e-issn: 2278-0661, p- ISSN: 2278-8727Volume 16, Issue 3, Ver. VII (May-Jun. 2014), PP 61-66 An Efficient Windows Cardspace identity Management Technique

More information

HomeConvenience.com. Creating Trust Online CASE STUDY. Comodo Identity and Trust Assurance Suite. Content Verification Certificate.

HomeConvenience.com. Creating Trust Online CASE STUDY. Comodo Identity and Trust Assurance Suite. Content Verification Certificate. TM Creating Trust Online CASE STUDY HomeConvenience.com Comodo Identity and Trust Assurance Suite Content Verification Certificate Hacker Guardian SSL Certification Corner of Trust Logo Who are HomeConvenience?

More information

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

defending against advanced persistent threats: strategies for a new era of attacks agility made possible defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been

More information

Security challenges for internet technologies on mobile devices

Security challenges for internet technologies on mobile devices Security challenges for internet technologies on mobile devices - Geir Olsen [geiro@microsoft.com], Senior Program Manager for Security Windows Mobile, Microsoft Corp. - Anil Dhawan [anild@microsoft.com],

More information

The Security Scenario 2005: The Future of Information Security

The Security Scenario 2005: The Future of Information Security The Security Scenario 2005: The Future of Information Security Notes accompany this presentation. Please select Notes Page view. These materials can be reproduced only with Gartner s official approval.

More information

Dr. rer. nat. Hellmuth Broda

Dr. rer. nat. Hellmuth Broda International Telecommunication Union Privacy, Security, and Trust with Federated Identity Management Dr. rer. nat. Hellmuth Broda Distinguished Director and CTO, Global Government Strategy, Sun Microsystems

More information

Easy, Trusted Online Service Access

Easy, Trusted Online Service Access SOLUTIONS BRIEF Easy, Trusted Online Service Access Making online services more convenient, secure and cost-effective. For many online services, forgotten passwords and new credential set up are the two

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review

More information

Private cloud computing

Private cloud computing White paper Private cloud computing Increase agility and reduce cost Increasing agility and reducing cost with cloud computing Table of contents 2 A time of big IT trends 3 As if IT needed more challenges

More information

Moving Information: Privacy & Security Guidelines

Moving Information: Privacy & Security Guidelines Information and Privacy Commissioner/ Ontario Moving Information: Privacy & Security Guidelines Ann Cavoukian, Ph.D. Commissioner July 1997 Information and Privacy Commissioner/Ontario 2 Bloor Street East

More information

FINANCIAL FRAUD: THE IMPACT ON CORPORATE SPEND IT SECURITY RISKS SPECIAL REPORT SERIES

FINANCIAL FRAUD: THE IMPACT ON CORPORATE SPEND IT SECURITY RISKS SPECIAL REPORT SERIES FINANCIAL FRAUD: THE IMPACT ON CORPORATE SPEND IT SECURITY RISKS SPECIAL REPORT SERIES Kaspersky Lab 2 Corporate IT Security Risks Survey details: More than 5,500 companies in 26 countries around the world

More information

COMMISSION OF THE EUROPEAN COMMUNITIES

COMMISSION OF THE EUROPEAN COMMUNITIES EN EN EN COMMISSION OF THE EUROPEAN COMMUNITIES Brussels, [ ] COM(2006) 251 COMMUNICATION FROM THE COMMISSION TO THE COUNCIL, THE EUROPEAN PARLIAMENT, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE

More information

SECURING IDENTITIES IN CONSUMER PORTALS

SECURING IDENTITIES IN CONSUMER PORTALS SECURING IDENTITIES IN CONSUMER PORTALS Solution Brief THE CHALLENGE IN SECURING CONSUMER PORTALS TODAY The Bilateral Pull between Security and User Experience As the world becomes increasingly digital,

More information

Access is power. Access management may be an untapped element in a hospital s cybersecurity plan. January 2016. kpmg.com

Access is power. Access management may be an untapped element in a hospital s cybersecurity plan. January 2016. kpmg.com Access is power Access management may be an untapped element in a hospital s cybersecurity plan January 2016 kpmg.com Introduction Patient data is a valuable asset. Having timely access is critical for

More information

PRIVACY POLICY. Last updated February 2, 2009 INTRODUCTION

PRIVACY POLICY. Last updated February 2, 2009 INTRODUCTION PRIVACY POLICY Last updated February 2, 2009 INTRODUCTION This Privacy Policy explains how personal information about you may be collected, used, or disclosed by the Canadian Education and Research Institute

More information

Creating Trust Online TM. Comodo Mutual Authentication Solution Overview: Comodo Two Factor Authentication Comodo Content Verification Certificates

Creating Trust Online TM. Comodo Mutual Authentication Solution Overview: Comodo Two Factor Authentication Comodo Content Verification Certificates Creating Trust Online TM Comodo Mutual Authentication Solution Overview: Comodo Two Factor Authentication Comodo Content Verification Certificates January 2007 Setting the stage Banking and doing business

More information

UNITED STATES OF AMERICA FEDERAL TRADE COMMISSION

UNITED STATES OF AMERICA FEDERAL TRADE COMMISSION UNITED STATES OF AMERICA FEDERAL TRADE COMMISSION 132 3091 COMMISSIONERS: Edith Ramirez, Chairwoman Julie Brill Maureen K. Ohlhausen Joshua D. Wright ) In the Matter of ) DOCKET NO. ) Credit Karma, Inc.,

More information

A Q&A with the Commissioner: Big Data and Privacy Health Research: Big Data, Health Research Yes! Personal Data No!

A Q&A with the Commissioner: Big Data and Privacy Health Research: Big Data, Health Research Yes! Personal Data No! A Q&A with the Commissioner: Big Data and Privacy Health Research: Big Data, Health Research Yes! Personal Data No! Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario, Canada THE AGE OF

More information

Privacy by Design: What s Been Happening? Ken Anderson

Privacy by Design: What s Been Happening? Ken Anderson Privacy by Design: What s Been Happening? Ken Anderson Assistant Commissioner (Privacy) Ontario Hong Kong June 13, 2012 Key Definitions Information privacy refers to the right or ability of individuals

More information

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and

More information

ADMINISTRATIVE DATA MANAGEMENT AND ACCESS POLICY

ADMINISTRATIVE DATA MANAGEMENT AND ACCESS POLICY ADMINISTRATIVE DATA MANAGEMENT AND ACCESS POLICY PURPOSE The value of data as an institutional resource is increased through its widespread and appropriate use; its value is diminished through misuse,

More information

PCI Data Security Standards (DSS)

PCI Data Security Standards (DSS) ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants

More information

Device-Centric Authentication and WebCrypto

Device-Centric Authentication and WebCrypto Device-Centric Authentication and WebCrypto Dirk Balfanz, Google, balfanz@google.com A Position Paper for the W3C Workshop on Web Cryptography Next Steps Device-Centric Authentication We believe that the

More information

3. Consent for the Collection, Use or Disclosure of Personal Information

3. Consent for the Collection, Use or Disclosure of Personal Information PRIVACY POLICY FOR RENNIE MARKETING SYSTEMS Our privacy policy includes provisions of the Personal Information Protection Act (BC) and the Personal Information Protection and Electronic Documents Act (Canada),

More information

Single Sign-On for the Internet: A Security Story. Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com

Single Sign-On for the Internet: A Security Story. Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com Single Sign-On for the Internet: A Security Story Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com BlackHat USA, Las Vegas 2007 Introduction With the explosion of Web 2.0 technology,

More information

Strong Authentication. Securing Identities and Enabling Business

Strong Authentication. Securing Identities and Enabling Business Strong Authentication Securing Identities and Enabling Business Contents Contents...2 Abstract...3 Passwords Are Not Enough!...3 It s All About Strong Authentication...4 Strong Authentication Solutions

More information

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES Leonard Levy PricewaterhouseCoopers LLP Session ID: SEC-W03 Session Classification: Intermediate Agenda The opportunity Assuming

More information

Why Identity Management. Identity Management. What We Cover. Role of Digital Identity. Digital Identity. Digital Identity (or network identity)

Why Identity Management. Identity Management. What We Cover. Role of Digital Identity. Digital Identity. Digital Identity (or network identity) Why Identity Management Identity Management Claudiu Duma Identity crisis Privacy concerns Identity theft Terrorist threat Department of Computer and Information Science cladu@ida.liu.se What We Cover Digital

More information

Unified Security Management

Unified Security Management Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

White paper December 2008. Addressing single sign-on inside, outside, and between organizations

White paper December 2008. Addressing single sign-on inside, outside, and between organizations White paper December 2008 Addressing single sign-on inside, outside, and between organizations Page 2 Contents 2 Overview 4 IBM Tivoli Unified Single Sign-On: Comprehensively addressing SSO 5 IBM Tivoli

More information

Transformative Technologies Deliver Both Security and Privacy: Think Positive-Sum, Not Zero-Sum

Transformative Technologies Deliver Both Security and Privacy: Think Positive-Sum, Not Zero-Sum Transformative Technologies Deliver Both Security and Privacy: Think Positive-Sum, Not Zero-Sum March 2009 Transformative Technologies Deliver Both Security and Privacy Transformative Technologies Deliver

More information

WHITE PAPER CHOOSING THE RIGHT SECURITY SOLUTION: MOVING BEYOND SSL TO ESTABLISH TRUST

WHITE PAPER CHOOSING THE RIGHT SECURITY SOLUTION: MOVING BEYOND SSL TO ESTABLISH TRUST CHOOSING THE RIGHT SECURITY SOLUTION: MOVING BEYOND SSL TO ESTABLISH TRUST CONTENTS 1 INTRODUCTION 1 THE INEVITABLE EVOLUTION OF TECHNOLOGY PLATFORMS 1 EXTENDED VALIDATION (EV) SSL: THE GOLD STANDARD FOR

More information